1 From dfad796450e2a215b9c8c96629da8439e5052983 Mon Sep 17 00:00:00 2001
2 From: oracle <solaris@oracle.com>
3 Date: Mon, 3 Aug 2015 14:36:13 -0700
4 Subject: [PATCH 10/34] PAM conversation fix
7 # This patch contains an important bug fix for the PAM password userauth
8 # conversation function. The fix was submitted upstream in 2009 but was not
9 # accepted there. For more information, see
10 # https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
13 auth-pam.c | 36 ++++++++++++++++++++++++++++++++++++
14 1 file changed, 36 insertions(+)
16 diff --git a/auth-pam.c b/auth-pam.c
17 index 8425af1..92c3b1c 100644
20 @@ -1112,11 +1112,13 @@ free_pam_environment(char **env)
26 * "Blind" conversation function for password authentication. Assumes that
27 * echo-off prompts are for the password and stores messages for later
32 sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
33 struct pam_response **resp, void *data)
34 @@ -1138,12 +1140,24 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
35 for (i = 0; i < n; ++i) {
36 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
37 case PAM_PROMPT_ECHO_OFF:
40 + * PAM conversation function for the password userauth
41 + * method (non-interactive) really cannot do any
42 + * prompting. We set the PAM_AUTHTOK item in
43 + * sshpam_auth_passwd()to avoid conversation. If some
44 + * modules still try to converse, then the password
45 + * userauth will fail.
49 if (sshpam_password == NULL)
51 if ((reply[i].resp = strdup(sshpam_password)) == NULL)
53 reply[i].resp_retcode = PAM_SUCCESS;
58 len = strlen(PAM_MSG_MEMBER(msg, i, msg));
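Review bot: The new comment at L22-L27 says PAM_AUTHTOK is set "to avoid conversation" but does not say what makes a module read it instead of prompting; that depends on how the PAM stack is configured (typically `use_first_pass`/`try_first_pass` or the platform equivalent), so an admin reading this has no hint that the fix is config-dependent. I would add a line such as ` * Modules must be stacked so they read PAM_AUTHTOK (e.g. use_first_pass) for this to help.` and fix the missing space in `sshpam_auth_passwd()to`. The lines that actually implement the "userauth will fail" behaviour are not visible in this view, and the visible L28-L30 still answer the echo-off prompt from `sshpam_password`, so I cannot confirm the comment matches the code. The enclosing switch and sshpam_passwd_conv continue outside the hunk.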
59 @@ -1179,6 +1193,9 @@ static struct pam_conv passwd_conv = { sshpam_passwd_conv, NULL };
61 sshpam_auth_passwd(Authctxt *authctxt, const char *password)
66 int flags = (options.permit_empty_passwd == 0 ?
67 PAM_DISALLOW_NULL_AUTHTOK : 0);
69 @@ -1198,6 +1215,15 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
70 options.permit_root_login != PERMIT_YES))
71 sshpam_password = badpw;
74 + sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
75 + if (sshpam_err != PAM_SUCCESS) {
76 + debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
77 + pam_strerror(sshpam_handle, sshpam_err));
82 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
83 (const void *)&passwd_conv);
84 if (sshpam_err != PAM_SUCCESS)
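Review bot: The PAM_AUTHTOK item at L39 is set from `password`, not from `sshpam_password`, even though L37-L38 have just replaced `sshpam_password` with `badpw` when root login is not permitted (the rest of that condition is above the hunk). A module that reads PAM_AUTHTOK instead of conversing therefore sees the real credential in exactly the case the substitution was presumably meant to make fail, while a conversing module gets `badpw`, so the two paths behave differently; I would change it to `sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password);`. The handling after the `debug()` at L41-L42 is outside this view; if a failed set only logs and continues, authentication silently falls back to the conversation path, so confirm it fails as hard as the PAM_CONV check at L45 does. sshpam_auth_passwd starts and ends outside this hunk.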
85 @@ -1206,6 +1232,16 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
87 sshpam_err = pam_authenticate(sshpam_handle, flags);
88 sshpam_password = NULL;
91 + set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
92 + if (set_item_rtn != PAM_SUCCESS) {
93 + debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
94 + pam_strerror(sshpam_handle, set_item_rtn));
100 if (sshpam_err == PAM_MAXTRIES)
101 sshpam_set_maxtries_reached(1);
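Review bot: Clearing PAM_AUTHTOK at L49 only asks the PAM library to drop its copy; whether that copy is overwritten before it is freed is implementation-specific (some libpam builds do, others may not), so the password may remain in freed heap memory for the rest of the session, and a failed clear at L50-L52 is only reported at debug level and leaves the token set for later pam_acct_mgmt/pam_open_session calls. A short comment stating the intent would help, e.g. ` /* Best effort: drop the authtok now that pam_authenticate() is done; libpam may or may not zeroize it. */`, and raising the failure log from `debug()` to `error()` is worth considering. The surrounding `sshpam_password = NULL;` at L48 and this clear are independent, so the ordering is fine. sshpam_auth_passwd starts outside this hunk.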